Tarantella Enterprise 3 Symlink Local Root Installation Exploit

Tarantella Enterprise 3 contains a locally exploitable symbolic link vulnerability in its installation procedure, which can be used to elevate privileges. An attacker who anticipates the installation can create a symbolic link named '/tmp/spinning' pointing at any file. When the installation utility runs, the file the link points to is made world-writable. Pointing the link at a file such as '/etc/passwd' lets the attacker overwrite it and gain root privileges.
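Added example, not code from the advisory or from Tarantella: the installer-side pattern behind this class of bug in C, with the fix beside it. The scratch directory, the victim file and the link name are constructed stand-ins for /tmp, '/etc/passwd' and '/tmp/spinning', and the function names are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable installer pattern: open a scratch file by a predictable
 * name and relax its mode by name. Both fopen() and chmod() follow
 * symbolic links, so a link planted in advance redirects the chmod to
 * whatever file the attacker chose. */
int unsafe_make_scratch(const char *path)
{
    FILE *f = fopen(path, "a");
    if (!f) return -1;
    fclose(f);
    return chmod(path, 0666);            /* lands on the link target */
}

/* Hardened pattern: create the file exclusively and never through a
 * link. O_CREAT|O_EXCL fails with EEXIST if anything (a symlink
 * included) already sits at that name; O_NOFOLLOW covers a link that
 * appears between check and use. The mode is then set through the
 * descriptor, which cannot be redirected. */
int safe_make_scratch(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    int rc = fchmod(fd, 0600);
    close(fd);
    return rc;
}

/* Private scratch directory for the demonstration (falls back to the
 * current directory if /tmp is unavailable). */
static int make_scratch_dir(char *dir, size_t n)
{
    snprintf(dir, n, "/tmp/spinning-demo-XXXXXX");
    if (mkdtemp(dir)) return 0;
    snprintf(dir, n, "./spinning-demo-XXXXXX");
    return mkdtemp(dir) ? 0 : -1;
}

/* Replays the attack against both patterns. Returns 1 when the unsafe
 * installer made the attacker's target world-writable and the safe one
 * refused the planted link; 0 otherwise; -1 on setup failure. */
int demo_symlink_attack(void)
{
    char dir[64], victim[128], link[128];
    if (make_scratch_dir(dir, sizeof dir) != 0) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);     /* stands in for /etc/passwd */
    snprintf(link, sizeof link, "%s/spinning", dir);       /* stands in for /tmp/spinning */

    int fd = open(victim, O_WRONLY | O_CREAT, 0644);
    if (fd < 0) return -1;
    close(fd);
    if (symlink(victim, link) != 0) return -1;             /* the attacker's move, before install */

    int unsafe_rc = unsafe_make_scratch(link);
    struct stat st;
    int target_world_writable = stat(victim, &st) == 0 && (st.st_mode & S_IWOTH);

    int safe_rc = safe_make_scratch(link);
    int safe_refused = safe_rc == -1 && (errno == EEXIST || errno == ELOOP);

    unlink(link); unlink(victim); rmdir(dir);
    return unsafe_rc == 0 && target_world_writable && safe_refused;
}
```

The same rule applies to any privileged program that touches a predictable path in a world-writable directory: create with O_EXCL|O_NOFOLLOW (or mkstemp), and operate on the descriptor (fchmod, fchown, fstat) rather than on the name.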

Ettercap Buffer Overflow Vulnerability

A remotely exploitable buffer overflow exists in Ettercap. If a large packet is received and passed to some of its decoders, stack data may be overwritten, leading to execution of arbitrary code. The condition can be triggered by attaching Ettercap to an interface with a larger MTU than Ethernet, or by sending a forged packet whose data length field misrepresents the packet's actual size.

Sawmill Insecure Default Permissions Vulnerability

On Solaris, Sawmill creates the AdminPassword file with insecure default permissions: it is world-readable and world-writable regardless of the password_file_permissions setting in the DefaultConfig file. That setting defaults to 600, meaning the file should be readable and writable only by its owner. A local attacker can overwrite AdminPassword with attacker-supplied values and thereby gain unauthorized access to restricted Sawmill pages.

Apple QuickTimePlayer 5.02/5.01 Exploit

Apple QuickTime for Windows does not perform sufficient bounds checking on the 'Content-Type' header. The issue can be triggered when a server answers an HTTP request for a media file with a maliciously crafted 'Content-Type' header; a value of 500 or more characters is enough to overwrite stack variables.

UnixWare Format String Vulnerability

A format string vulnerability in the locale subsystem of UnixWare could lead to a user gaining elevated privileges. A local user could potentially supply maliciously crafted message catalogs through the LC_MESSAGES environment variable. This could allow a local user to load arbitrary message catalogs into setuid or setgid programs, and execute arbitrary code with setuid/setgid privileges.
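Added example, not UnixWare's or any vendor's code: how a program that takes message text from a catalog can keep that text from driving printf. The catalog entries below are constructed strings standing in for what catgets() would return (catgets itself is not called, so the example runs offline), and the built-in message and function names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The program's compiled-in message; a catalog may translate it but
 * must keep the same argument list. */
static const char BUILTIN_MSG[] = "cannot open mailbox for %s\n";

/* Collect the conversion characters of a printf-style format, in order,
 * into sig: "%s has %-5d items" -> "sd". Flags, width, precision and
 * length modifiers are skipped ('*' is recorded, since it consumes an
 * argument); "%%" is ignored. Returns false for a truncated directive
 * or for %n, which no legitimate catalog entry needs. */
static bool format_signature(const char *fmt, char *sig, size_t siglen)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;
        while (*p && strchr("-+ #*0123456789.hlLqjzt", *p)) {
            if (*p == '*') {
                if (n + 1 >= siglen) return false;
                sig[n++] = '*';
            }
            p++;
        }
        if (*p == '\0' || *p == 'n' || n + 1 >= siglen) return false;
        sig[n++] = *p;
    }
    sig[n] = '\0';
    return true;
}

/* Use the catalog text as a format only if it asks for exactly the
 * arguments the built-in default does; otherwise fall back. */
static const char *choose_format(const char *builtin, const char *catalog_msg)
{
    char a[32], b[32];
    if (!catalog_msg || !format_signature(builtin, a, sizeof a)) return builtin;
    if (!format_signature(catalog_msg, b, sizeof b)) return builtin;
    return strcmp(a, b) == 0 ? catalog_msg : builtin;
}

/* Vulnerable pattern: whatever the catalog handed back becomes the format. */
int report_unsafe(char *out, size_t n, const char *catalog_msg, const char *user)
{
    return snprintf(out, n, catalog_msg, user);   /* attacker controls the directives */
}

/* Hardened pattern: validate the catalog text before it reaches printf. */
int report_safe(char *out, size_t n, const char *catalog_msg, const char *user)
{
    return snprintf(out, n, choose_format(BUILTIN_MSG, catalog_msg), user);
}

/* Constructed catalog entries: one honest translation and two hostile
 * ones. Returns 1 if only the honest one is accepted. */
int catalog_check_demo(void)
{
    const char *honest = "impossible d'ouvrir la boite de %s\n";
    const char *writes_memory = "%x.%x.%x.%n";      /* %n turns printf into a write primitive */
    const char *reads_extra = "%s opened by %s\n";  /* second %s reads a stack slot never passed */
    return choose_format(BUILTIN_MSG, honest) == honest
        && choose_format(BUILTIN_MSG, writes_memory) == BUILTIN_MSG
        && choose_format(BUILTIN_MSG, reads_extra) == BUILTIN_MSG;
}

/* With a hostile entry, the safe reporter falls back to the built-in text. */
int safe_report_demo(void)
{
    char out[128];
    report_safe(out, sizeof out, "%x.%x.%x.%n", "alice");
    return strcmp(out, "cannot open mailbox for alice\n") == 0;
}
```

The check mirrors what gettext's format-string validation does at catalog build time; doing it at load time is what protects a setuid program whose catalog search path can be pointed at user-controlled files.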

HP AdvanceStack 10Base-T Switching Hubs Authentication Bypass Vulnerability

It has been reported that authentication for HP J3210A 10Base-T Switching Hubs may be bypassed by an unprivileged user who accesses one of the administrative web pages directly. The attacker may allegedly change the superuser password of the device via this interface and gain access to the administrative facilities of the device. Additionally, authentication credentials are disclosed to the attacker. Reportedly, the password is stored in plain text and can be revealed by viewing the source of the web page.

Information Disclosure Vulnerability in OS/400 Systems

An information disclosure vulnerability has been reported to exist in OS/400 systems. An authenticated user may be able to obtain a list of all valid user accounts. The user must be running a 5250 emulator. The user may, after authentication, access the 'System Request' menu and obtain a list of all object names of type USRPRF. The 'System Request' feature is installed by default.

Escape Change Rooted Directories on AtheOS

AtheOS is a freely available, open source operating system distributed under the GPL and maintained by the AtheOS project. Because of insufficient handling of relative paths, a process inside a chroot can change directory out of the jail using the dot-dot-slash (../) specifier. This gives access to the rest of the system with the privileges of the chrooted process.
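Added example, not AtheOS kernel code: a lexical model of the directory-change handling described above, with the missing check and the correct check side by side. A correct implementation treats ".." at the jail root as a no-op; the faulty one keeps walking up into the host filesystem. The jail path, working directory and function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_COMPONENTS 128

/* Lexically normalize an absolute '/'-separated path: drop "." and
 * resolve "..". `floor` is the component depth below which ".." may
 * not pop: 0 is the host root, a jail's own depth is the jail root.
 * Returns the resulting depth, or -1 on overflow. */
static int normalize(const char *path, int floor, char *out, size_t outlen)
{
    char work[1024];
    const char *comp[MAX_COMPONENTS];
    int depth = 0;
    if (snprintf(work, sizeof work, "%s", path) >= (int)sizeof work) return -1;
    for (char *tok = strtok(work, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) {
            if (depth > floor) depth--;      /* at the floor, ".." is a no-op */
            continue;
        }
        if (depth == MAX_COMPONENTS) return -1;
        comp[depth++] = tok;
    }
    if (depth == 0) {
        if (outlen < 2) return -1;
        strcpy(out, "/");
        return 0;
    }
    size_t used = 0;
    for (int i = 0; i < depth; i++) {
        int w = snprintf(out + used, outlen - used, "/%s", comp[i]);
        if (w < 0 || (size_t)w >= outlen - used) return -1;
        used += (size_t)w;
    }
    return depth;
}

/* Host-visible directory a jailed process ends up in after chdir(rel)
 * from jail-relative `cwd`. clamp=0 models the faulty behaviour, where
 * ".." keeps walking above the jail root; clamp=1 is the correct one. */
int jail_chdir(const char *jail, const char *cwd, const char *rel, int clamp,
               char *out, size_t outlen)
{
    char root[1024], full[1024];
    int jail_depth = normalize(jail, 0, root, sizeof root);
    if (jail_depth < 0) return -1;
    int w = rel[0] == '/' ? snprintf(full, sizeof full, "%s%s", root, rel)  /* "/" means the jail root */
                          : snprintf(full, sizeof full, "%s/%s/%s", root, cwd, rel);
    if (w < 0 || (size_t)w >= sizeof full) return -1;
    return normalize(full, clamp ? jail_depth : 0, out, outlen) < 0 ? -1 : 0;
}

/* The escape from the entry above, against both behaviours. Returns 1
 * when the unclamped walk reaches the host's /etc/passwd while the
 * clamped one stays inside the jail. */
int escape_demo(void)
{
    const char *jail = "/srv/jail", *cwd = "/home/user";
    const char *rel = "../../../../etc/passwd";
    char buggy[256], fixed[256], absolute[256];
    if (jail_chdir(jail, cwd, rel, 0, buggy, sizeof buggy) != 0) return 0;
    if (jail_chdir(jail, cwd, rel, 1, fixed, sizeof fixed) != 0) return 0;
    if (jail_chdir(jail, cwd, "/var/log", 1, absolute, sizeof absolute) != 0) return 0;
    return strcmp(buggy, "/etc/passwd") == 0
        && strcmp(fixed, "/srv/jail/etc/passwd") == 0
        && strcmp(absolute, "/srv/jail/var/log") == 0;
}
```

The same clamp is what a user-space daemon (an FTP or web server that confines clients to a directory) must apply when it resolves client-supplied paths itself rather than relying on the kernel.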

Hanterm Buffer Overflow Vulnerability

A buffer overflow exists in hanterm. If it is invoked locally with a maliciously constructed parameter, a buffer can be overflowed, overwriting the return address of a stack frame and leading to execution of arbitrary code. Because hanterm is installed setuid root on some systems, exploitation may result in a local root compromise.
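Added example serving the Ettercap, QuickTime and hanterm entries above; it is not code from any of those projects. It shows the two shapes of stack overflow those entries describe, a trusted length field (Ettercap) and an unbounded string copy into a fixed buffer (the Content-Type header, the hanterm argument), each beside its bounded form. The frame layout, buffer sizes, sample inputs and function names are constructed for the example.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_MTU 1500      /* the decoder's assumed maximum frame size */
#define HDR_MAX 256       /* fixed buffer for a header value */

/* Constructed frame layout for the example: a 2-byte big-endian payload
 * length followed by the payload, standing in for any protocol header
 * whose length field a decoder trusts. */

/* Vulnerable decoder: trusts the length field and assumes no frame is
 * bigger than an Ethernet MTU. A jumbo-MTU interface or a forged length
 * makes memcpy write past buf, over the saved frame pointer and return
 * address. Shown for contrast only; never called on hostile input. */
size_t decode_unsafe(const uint8_t *pkt, size_t caplen)
{
    uint8_t buf[ETH_MTU];
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    (void)caplen;                        /* the captured length is never consulted */
    memcpy(buf, pkt + 2, declared);      /* unbounded write onto the stack */
    return declared;
}

/* Hardened decoder: the declared length must be covered by the bytes
 * actually captured and must fit the destination; otherwise drop. */
int decode_safe(const uint8_t *pkt, size_t caplen, uint8_t *out, size_t outlen)
{
    if (caplen < 2) return -1;
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (declared > caplen - 2) return -1;    /* length field lies about the frame */
    if (declared > outlen) return -1;        /* frame larger than our buffer */
    memcpy(out, pkt + 2, declared);
    return (int)declared;
}

/* The same defect in string form (a Content-Type header, a command-line
 * argument): strcpy into a fixed stack buffer. */
void store_header_unsafe(const char *value)
{
    char hdr[HDR_MAX];
    strcpy(hdr, value);                      /* 500+ characters run off the end of hdr */
    (void)hdr;
}

/* Bounded form: measure against the buffer, refuse what does not fit,
 * and always leave a terminator. */
int store_header_safe(const char *value, char *out, size_t outlen)
{
    size_t n = strnlen(value, outlen);
    if (n == outlen) return -1;              /* no room for the terminator */
    memcpy(out, value, n + 1);
    return (int)n;
}

/* Checks on constructed inputs. */
int forged_length_is_rejected(void)
{
    uint8_t frame[64] = { 0xff, 0xff };      /* claims 65535 payload bytes; 62 were captured */
    uint8_t out[ETH_MTU];
    return decode_safe(frame, sizeof frame, out, sizeof out) == -1;
}

int jumbo_frame_is_rejected(void)
{
    static uint8_t frame[2 + 4000];          /* honest 4000-byte payload from a jumbo-MTU link */
    frame[0] = 4000 >> 8;
    frame[1] = 4000 & 0xff;
    uint8_t out[ETH_MTU];
    return decode_safe(frame, sizeof frame, out, sizeof out) == -1;
}

int honest_frame_is_decoded(void)
{
    uint8_t frame[] = { 0, 5, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[ETH_MTU];
    return decode_safe(frame, sizeof frame, out, sizeof out) == 5
        && memcmp(out, "hello", 5) == 0;
}

int oversized_header_is_rejected(void)
{
    char value[600];
    memset(value, 'A', sizeof value - 1);    /* a 599-character Content-Type value */
    value[sizeof value - 1] = '\0';
    char out[HDR_MAX];
    return store_header_safe(value, out, sizeof out) == -1
        && store_header_safe("video/quicktime", out, sizeof out) == 15
        && strcmp(out, "video/quicktime") == 0;
}
```

Two independent bounds matter in the decoder: the length field against what was actually captured (catches a forged header) and against the destination (catches an honest frame that is simply larger than the decoder assumed). Checking only one of them leaves the other path open.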

Portix-PHP Cookie Manipulation Vulnerability

Portix-PHP is freely available web portal software written in PHP that runs on most Unix and Linux variants. It uses non-expiring cookies for session management, and a malicious user can manipulate the values in their own cookie to gain access to the portal's administrative pages. Hijacking the administrative account in this way grants access to all of the portal's administrative facilities. To exploit it, change the stored cookie to the following: name=access value=ok